ClawHub

Free Video Generator Like Invideo

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed remote video-generation integration; it sends user-provided prompts and media to NemoVideo, which fits its stated purpose but requires privacy caution.

Install only if you are comfortable sending video prompts, scripts, and uploaded media to NemoVideo's remote service. Use a limited token when possible, avoid private or regulated content unless you trust the service's handling of it, and treat the broad editing workflow as intended only for video-generation tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs the agent to silently use an existing NEMO_TOKEN or obtain an anonymous token and create a backend session before handling user requests, while explicitly hiding technical details from the user. This causes undisclosed authentication and remote account/session creation, which can spend credits, create persistent identifiers, and transmit metadata without informed user consent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill directs users to send text, scripts, and files to a remote backend for processing and rendering, but provides no explicit privacy, retention, or third-party data handling warning. Because uploaded media and scripts may contain sensitive or proprietary content, silent transmission to external GPU services creates material confidentiality and compliance risk.

Natural-Language Policy Violations

Medium
Confidence
85% confidence
Finding
The session creation body hard-codes `"language":"en"` without checking the user's preference or locale. While not a classic exploit, it can cause user content and prompts to be processed under incorrect language assumptions, increasing the risk of mistranslation, unintended edits, or incorrect handling of non-English data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal